I live in an apartment building that provides "free" internet along with the rent.

Previously I had been using a separate router for my apartment, but this led to a double NAT issue and slower speeds. Recently, I replaced the Router with a switch to avoid the double NAT problem and set the router up as a wireless access point. This, however, means that it is possible (but unlikely) that other tenants will attempt to access my network.

I really like using the switch because I get much faster speeds and the network is more reliable, but I don't like the idea of having my network open to the rest of the building. What can I do to limit access to my network while preserving these speeds?

If I understood the situation correctly, you have a LAN in this apartment building already. You're just plugging your PC into it and it's assigned an IP address and so on? I guess if anyone on the LAN was remotely aware of how networking goes, they could access files, home shares etc...

Either firewall your PC, and turn off network sharing services and make sure your machine has a password. Failing that (or if you're connecting various devices), look into buying a more sophisticated managed network switch or access point from someone like Cisco?

You can apply a hardware firewall at the switch level, as well as MAC address filtering on top of that. They should not slow down your actual throughput, and at the very worst just increase latency by a few milliseconds?

Double NAT shouldn't slow your speeds; it more causes problems with applications trying to work through the NAT and getting addresses wrong or being unable to open up external ports. It may just be that you need a faster router to do your part of the NAT.

I've looked a little bit into hardware firewalls, but those seem to be around $200 and I really don't want to pay that much.

I would like file sharing within my network, so simply turning file sharing off is not an option.

As notfred alluded to above, you might be able to make use of a more capable router. But if you want to turn sharing on for your own separate network, you need a router, period. Routers are the devices that separate networks, be they of the crappy Wal-mart variety or the four-figure Cisco variety.

Heh, this thread reminds me to fix the double-NAT on the WiFi at work. I just went on vacation, too.

Double-NAT does have its issues, but I'm not sure that it would have a noticeable impact on speeds. If you know what the subnet mask is, you might carve out a slice for yourself at one of the extreme ranges by using static IPs or clever use of DHCP in your router. Most home routers will actually answer to DHCP out the WAN port, so be careful of that.

Anyway, you could strike up a conversation with the super and see how they could accommodate your home network. If their service is sophisticated enough, they might be able to put your router in DMZ, or if really ritzy, put all your machines in DHCP reservations.

My solution would be to put an old machine into service using pfSense with a couple of NICs. You could also hang a WAP off of it, if you wish. This setup would allow you to just route and firewall traffic while still using DHCP from the building. In essence, creating a small network using the apartment's IP address range, but keeping out unwanted traffic and killing off the double NAT. Good luck!

it is possible (but unlikely) that other tenants will attempt to access my network.

If it is a large apartment building it is probably likely, not unlikely. Furthermore, if you're all on the same LAN it takes just one person in the building with an open (or easily hackable) WiFi access point to expose you to anyone who happens to drive past.

kumori wrote:

I've looked a little bit into hardware firewalls, but those seem to be around $200 and I really don't want to pay that much.

Well, if the problem is really the double-NATting that's not going to help anyway, since the firewall is probably going to do NAT too unless you do something more involved like drsauced suggested.

I tend to agree with notfred - probably your existing NAT router is just too slow. If it is more than a few years old it was probably designed back when most people had less than 10 Mbit broadband.

The years just pass like trains. I wave, but they don't slow down. -- Steven Wilson

Since I've gotten rid of the double NAT it's been much easier to connect to lobbies for online gaming, and streaming video has become more stable. I use a proxy and it seems to have been somehow affected by the double NAT. I'd like to keep this if possible, but (as stated before) I don't like the idea of having a wide open network.

Airmantharp wrote:

As notfred alluded to above, you might be able to make use of a more capable router. But if you want to turn sharing on for your own separate network, you need a router, period. Routers are the devices that separate networks, be they of the crappy Wal-mart variety or the four-figure Cisco variety.

I have a Linksys E3000 (stock firmware). Would this really be slow enough to cause an issue, and would flashing Tomato USB help? I normally get about 40 Mbps down and up and sometimes as high as 65 Mbps.

drsauced wrote:

Anyway, you could strike up a conversation with the super and see how they could accommodate your home network. If their service is sophisticated enough, they might be able to put your router in DMZ, or if really ritzy, put all your machines in DHCP reservations.

Also, I live in an 18-story apartment building that is operated/serviced by four or five different companies. I don't think they're going to agree to make changes to their IT equipment to accommodate me, so that's not possible. It's more of a question of what I can do on my end.

drsauced wrote:

My solution would be to put an old machine into service using pfSense with a couple of NICs. You could also hang a WAP off of it, if you wish. This setup would allow you to just route and firewall traffic while still using DHCP from the building. In essence creating a small network using the apartments' IP address range, but keeping out unwanted traffic and killing off the double NAT. Good luck!

I like the idea of setting up an old machine and operating it as a firewall, but I don't have any old machines (besides a netbook).

EDIT:

I'm looking at something like this to use as an appliance to run pfSense. I'm a little concerned that the LAN ports are VIA 10/100 ports while everything else on my network is gigabit.

EDIT:

Benchmarks make it seem like these ALIX units are only good for around 60 Mbps. That's awfully close to what I'm getting, which makes me a little nervous.

Last edited by kumori on Fri Jul 05, 2013 2:37 am, edited 2 times in total.

The cheapest way to get into this is to find an old desktop that nobody wants. I'm sure if you ask around someone has one they want to get rid of, or you could find a used PC shop with one for cheap. I'd look for one with 1GB of RAM, a Core 2 Duo or Phenom, and Intel NICs, preferably PCIe NICs.

Is the switch a 10/100/1000 switch, and is the apartment building running at gigabit speeds behind their firewall?

Yes, my switch is gigabit, but what I'm actually concerned about with the firewall is that the 500 MHz chip is not enough for my bandwidth. According to the pfSense site, 500 MHz should be good for around 50 Mbps assuming decent NICs.

What is the speed of the building's internet service? By virtue of having a switch, traffic that's in its MAC table will be switched to the right port with little interference from whatever CPU is in the router, thus full speed ahead. It might also be worth noting that CPUs are different than the ASICs inside home routers and switches, so not directly comparable. In my opinion, anyway.

That all said, you just might need to take the performance hit to keep your bit of the network secure and reliable. Jus sayin

Switching to Tomato is only half a fix. You have a few issues conflated here.

You are not having bandwidth problems through the E3000. I have an E3000 and used it briefly to route/control the new 300 Mbps/100 Mbps connection here at work, and it was able to provide the entire amount.

What you describe with flaky game lobbies/video services has everything to do with double NAT and nothing at all to do with bandwidth. If you're not 100% clear on what NAT or double NAT is, that's a fine place to start.

Basically, you were not able to open any ports for incoming traffic while double NATted. That was your issue. What you really need to do is convert that Tomato/E3000 machine into a little bitty stateful firewall, don't bother having it do DHCP or routing. Configuring it to allow any traffic to/from the building's router and deny all to all other local IPs that are on the outside of the firewall would be a really good start and provide 99% of what you're describing.
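As an added example (not from any poster in this thread), here is what the "allow the building's gateway, deny every other local IP outside the firewall" policy described above looks like as a stateful iptables rule set for a Linux-based box (Tomato is iptables-based) sitting between the building LAN and the apartment LAN. The gateway address, building subnet and interface names are assumed placeholders; the function only prints the commands so you can review them before running them as root.

```shell
#!/bin/sh
# Constructed example: build stateful firewall rules for a box with two sides,
# "wan" facing the building LAN and "lan" facing the apartment. Assumes the box
# forwards packets between the two (routed, or bridged with br_netfilter on).
gen_firewall_rules() {
    gw="$1"       # building router, e.g. 10.20.0.1   (assumed value)
    subnet="$2"   # building LAN range, e.g. 10.20.0.0/16 (assumed value)
    wan="$3"      # interface toward the building, e.g. eth0 (assumed name)
    lan="$4"      # interface toward the apartment, e.g. br0 (assumed name)
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -d $gw -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -d $subnet -j DROP
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -s $subnet -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate NEW -j DROP
EOF
}
# Rule order matters: replies to apartment-initiated connections are accepted
# first; apartment hosts may talk to the gateway (DHCP/DNS/Internet next hop)
# but not to other tenants' addresses; new connections arriving from any
# building-LAN address are dropped, and everything else falls to the DROP policy.
# Print the rules for review (apply later with: gen_firewall_rules ... | sh).
gen_firewall_rules 10.20.0.1 10.20.0.0/16 eth0 br0
```

Ports you do want reachable from outside (game lobbies) need an explicit ACCEPT placed before the final two DROP rules, and only help if the building's router forwards them to you in the first place.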